The present invention relates to secure communications between a client and a server, and, in particular, to secure communications utilizing the Secure Socket Layer (SSL).
In communications between a client and a server, it is often beneficial to provide increased security. One mechanism for providing increased security is through the use of the Secure Socket Layer (SSL) protocol. FIG. 1 illustrates a conventional SSL connection between a client 10 and a server 12. As seen in FIG. 1, the client 10 communicates directly with the server 12 utilizing the SSL connection 16.
The SSL Protocol may provide privacy and reliability between two communicating applications. The SSL protocol utilizes two layers, the lowest layer of which is the SSL Record Protocol, which is layered on top of a communications protocol such as TCP/IP. The SSL Record Protocol encapsulates higher level protocols such as the SSL Handshake Protocol. The SSL Handshake Protocol allows the server and client to authenticate each other and to establish an encryption method and keys.
One advantage of SSL is that it is application protocol independent. A higher level protocol can layer on top of the SSL Protocol transparently. Thus, the SSL protocol provides connection security where encryption is used after an initial handshake to define a secret key, and where the communication partner's identity can be authenticated using asymmetric, or public key, cryptography such as RSA. Details on SSL communications may be found in U.S. Pat. No. 5,657,390 entitled "SECURE SOCKET LAYER APPLICATION PROGRAM APPARATUS AND METHOD," the disclosure of which is incorporated herein by reference as if set forth fully herein.
One problem associated with the use of SSL between a client and a server is that establishing an SSL connection may impose a substantial burden on a server. For example, if a server has multiple SSL connections to clients, the creation of an additional SSL connection may adversely impact the performance of transactions to other clients through the utilization of server processing resources to establish the additional connection.
One approach to reducing the performance degradation of a server as a result of the use of SSL connections is through the use of an SSL proxy server as illustrated in FIG. 2. An SSL proxy server may be dedicated to establishing SSL connections and, therefore, may quickly establish an SSL connection as well as provide hardware decryption so as to relieve the burden imposed on the server by the SSL connection. As seen in FIG. 2, a client 10 communicates with the SSL proxy server 14 over an SSL connection 16. The SSL proxy server 14 then communicates with the server 12 over a non-secure connection 18. In such a case, however, the security between the client 10 and the server 12 may be lost between the SSL proxy server 14 and the server 12. Furthermore, the client identity information contained in the SSL communications may also be lost between the SSL proxy server 14 and the server 12.
The system of FIG. 3 illustrates the use of an SSL proxy server 14 where SSL connections 16, 16′, 20 and 20′ are established between the SSL proxy server 14 and both the clients 10 and 10′ and the server 12. As seen in FIG. 3, for each SSL connection 16, 16′ between the client 10 and 10′ and the SSL proxy server 14, there is a corresponding SSL connection 20, 20′ established between the SSL proxy server 14 and the server 12 which acts as a pipe through the SSL proxy server 14 to the server 12. However, the system of FIG. 3, while providing security between the SSL proxy server 14 and the server 12, may still result in performance degradation of server 12 as a result of the use of the SSL connections 20, 20′ for each client 10, 10′.
In light of the above discussion, a need exists for improvements in the use of SSL communications between clients and servers.
In view of the above discussion, it is an object of the present invention to provide for improved performance in communications between clients and servers utilizing the SSL protocol.
A further object of the present invention is to reduce the impact of the use of SSL protocols on the performance of a server while maintaining the security and client identity provided by such protocols.
Still another object of the present invention is to improve the scalability of server applications utilizing SSL communications.
These and other objects of the present invention may be provided by methods, systems, and computer program products which communicate between client applications and a transaction server by establishing a persistent secure connection between the transaction server and a Secure Socket Layer (SSL) proxy server. A first session specific SSL connection, different from the persistent secure connection, is also established between a first client application and the SSL proxy server. Communications between the first client application and the SSL proxy server transmitted over the first session specific SSL connection are then forwarded to the transaction server over the persistent secure connection. Furthermore, a second session specific SSL connection between a second client application and the SSL proxy server may also be established and the communications between the second client application and the SSL proxy server transmitted over the second session specific SSL connection may also be forwarded to the transaction server over the persistent secure connection. Preferably, the persistent secure connection is an SSL connection.
By establishing a persistent secure connection between the SSL proxy server and the transaction server, the overhead and burden of establishing a connection each time a client makes an SSL connection may be reduced. Furthermore by utilizing the persistent secure connection for multiple SSL connections, the performance of the transaction server may be maintained even in the presence of numerous SSL client connections because the transaction server is not burdened with establishing a connection for each SSL connection. Thus, the present invention may be readily scaled to accommodate increased numbers of SSL clients by adding additional SSL proxy servers without a corresponding burden on the transaction server. Furthermore, because the persistent connection is secure, the security of the communications with the client is not lost between the SSL proxy server and the transaction server.
In a further embodiment of the present invention, client identification information extracted from the communications between the client application and the SSL proxy server is provided to the transaction server in a message transmitted to the transaction server over the persistent secure connection. Such a message may be created by incorporating the client identification information as a message header of the message and transmitting the message with the message header to the transaction server over the persistent secure connection. The transaction server may receive the message transmitted over the persistent secure connection and extract from the message the client identification information. Content information may also be extracted from the communications over the SSL connection with the client. The client identification information and the extracted content information may then be provided to a transaction server application associated with the transaction server.
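The forwarding just described (several session specific client SSL connections multiplexed onto one persistent proxy-to-server connection, with the client identification carried as a message header that the transaction server extracts before handing content to its application) can be sketched in code. The following is an added example and is not code from the patent: the frame layout (session id, header block, body), the class and field names, and the sample client identities are all assumptions chosen for illustration, and the persistent secure connection itself is modelled as an in-memory byte stream rather than an actual SSL socket.

```python
"""Added example: multiplexing client SSL sessions onto one persistent
proxy-to-server connection, with client identification as a frame header.
Frame layout, names and sample identities are assumptions, not the patent's."""
import struct
from typing import Callable, Dict, List, Tuple

# Assumed frame layout: session_id:u32 | header_len:u16 | header | body_len:u32 | body
_FRAME_HDR = struct.Struct("!IH")
_BODY_LEN = struct.Struct("!I")


def encode_header(fields: Dict[str, str]) -> bytes:
    """Serialise client identification fields as a message header block."""
    for k, v in fields.items():
        if ":" in k or "\n" in k or "\n" in v:
            raise ValueError("header field contains a delimiter character")
    return "".join(f"{k}: {v}\n" for k, v in fields.items()).encode("utf-8")


def decode_header(raw: bytes) -> Dict[str, str]:
    """Inverse of encode_header; an empty block yields no fields."""
    fields = {}
    for line in raw.decode("utf-8").splitlines():
        key, _, value = line.partition(": ")
        fields[key] = value
    return fields


def encode_frame(session_id: int, ident: Dict[str, str], content: bytes) -> bytes:
    """One client message, tagged with its proxy session and identity header."""
    header = encode_header(ident)
    return (_FRAME_HDR.pack(session_id, len(header)) + header
            + _BODY_LEN.pack(len(content)) + content)


def decode_frames(buf: bytes) -> Tuple[List[Tuple[int, Dict[str, str], bytes]], bytes]:
    """Parse every complete frame in buf and return (frames, leftover).
    The persistent connection is a byte stream, so a frame can arrive split
    across reads; an incomplete tail is returned for the next call."""
    frames = []
    while len(buf) >= _FRAME_HDR.size:
        sid, hlen = _FRAME_HDR.unpack_from(buf, 0)
        off = _FRAME_HDR.size
        if len(buf) < off + hlen + _BODY_LEN.size:
            break
        header = buf[off:off + hlen]
        off += hlen
        (blen,) = _BODY_LEN.unpack_from(buf, off)
        off += _BODY_LEN.size
        if len(buf) < off + blen:
            break
        frames.append((sid, decode_header(header), buf[off:off + blen]))
        buf = buf[off + blen:]
    return frames, buf


class SslProxy:
    """Proxy side: per-client SSL sessions in, one multiplexed stream out."""

    def __init__(self) -> None:
        self.next_sid = 1
        self.sessions: Dict[int, Dict[str, str]] = {}  # sid -> identity from the client handshake
        self.pending = b""

    def open_client_session(self, ident: Dict[str, str]) -> int:
        sid, self.next_sid = self.next_sid, self.next_sid + 1
        self.sessions[sid] = ident
        return sid

    def forward(self, sid: int, content: bytes) -> bytes:
        """Bytes to write on the persistent secure connection for this client."""
        return encode_frame(sid, self.sessions[sid], content)

    def demux(self, chunk: bytes) -> List[Tuple[int, bytes]]:
        """Bytes read from the persistent connection -> (sid, reply) per live client."""
        self.pending += chunk
        frames, self.pending = decode_frames(self.pending)
        return [(sid, body) for sid, _, body in frames if sid in self.sessions]


class TransactionServer:
    """Server side: extract identity and content, hand both to the application."""

    def __init__(self, app: Callable[[Dict[str, str], bytes], bytes]) -> None:
        self.app = app
        self.pending = b""

    def receive(self, chunk: bytes) -> bytes:
        """Consume bytes from the persistent connection; return reply frames."""
        self.pending += chunk
        frames, self.pending = decode_frames(self.pending)
        return b"".join(encode_frame(sid, {}, self.app(ident, body)) for sid, ident, body in frames)


def run_demo() -> Dict[str, bytes]:
    """Two clients, one persistent connection, bytes delivered in odd-sized chunks."""
    proxy = SslProxy()
    server = TransactionServer(lambda ident, body: ident["subject"].encode() + b": " + body)
    alice = proxy.open_client_session({"subject": "CN=alice", "cipher": "AES128-SHA"})  # constructed
    bob = proxy.open_client_session({"subject": "CN=bob", "cipher": "AES256-SHA"})      # constructed
    wire = proxy.forward(alice, b"balance?") + proxy.forward(bob, b"transfer 5")
    replies = server.receive(wire[:7]) + server.receive(wire[7:])   # split mid-header
    routed = dict(proxy.demux(replies[:3]) + proxy.demux(replies[3:]))
    return {"alice": routed[alice], "bob": routed[bob]}
```

The session id is assigned by the proxy and is what lets replies be de-multiplexed back to the right client SSL connection; the identity header is attached by the proxy from its own handshake state, never taken from client-supplied content, so the transaction server application sees the same client identity it would have seen with a direct SSL connection.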
In an alternative embodiment which provides client identification information to the transaction server, a second connection between the SSL proxy server and the transaction server is established. The client identification information and content information are extracted from the communications over the SSL connection with the client application. The client identification information is then transmitted to the transaction server over the second connection and the content information transmitted to the transaction server over the persistent secure connection. The content information transmitted over the persistent secure connection and the client identification information transmitted over the second connection may then be received by the transaction server and provided to a transaction server application associated with the transaction server.
By providing the client identification information to the transaction server, either in a message over the persistent secure connection or over a separate connection, information from the SSL connection with the client is not lost through the use of the SSL proxy server. Thus, the utilization of a persistent secure connection to an SSL proxy server may be transparent to a server application executing on the transaction server.
In a further embodiment of the present invention, a system for communicating with client applications is provided. The system preferably includes an SSL proxy server operable for establishing Secure Socket Layer (SSL) connections with the client applications and a transaction server. A persistent secure connection between the SSL proxy server and the transaction server over which communications received over the SSL connections with the client applications are multiplexed is also provided. Preferably, the persistent secure connection comprises an SSL connection between the SSL proxy server and the transaction server.
The SSL proxy server may multiplex communications from the client applications onto the persistent secure connection and de-multiplex communications from the persistent secure connection onto the SSL connections with the client applications.
The system may also provide a second connection between the SSL proxy server and the transaction server operable to provide client identification information associated with communications over the persistent secure connection to the transaction server. The second connection may also be a persistent connection. In such a case it is also preferred that the transaction server match client identification information received over the second connection with the associated communications received over the persistent secure connection to provide the client identification and the associated communications received over the persistent secure connection to a server application.
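The matching step of the alternative embodiment (client identification arriving over the second connection, content arriving over the persistent secure connection, the transaction server pairing the two before handing them to the server application) is shown below as an added example; it is not code from the patent. The record shapes, the use of the proxy's session id as the matching key, the buffering limits and the `on_session_close` notification are assumptions chosen to illustrate the step, and the two connections are modelled as method calls rather than sockets.

```python
"""Added example: transaction-server side matching of identity records
(second connection) with content records (persistent secure connection).
Record shapes, matching key and buffering rules are assumptions."""
from typing import Callable, Dict, List, Tuple

Identity = Dict[str, str]


class IdentityMatcher:
    """Pairs identity and content by session id before either reaches the
    application. Either record may arrive first, so content waits for its
    identity; content is never delivered with a missing or stale identity."""

    def __init__(self, app: Callable[[Identity, bytes], str], max_waiting: int = 1000) -> None:
        self.app = app
        self.max_waiting = max_waiting
        self.identities: Dict[int, Identity] = {}
        self.waiting: Dict[int, List[bytes]] = {}   # content seen before its identity
        self.replies: List[Tuple[int, str]] = []    # application output, per session

    def on_identity(self, sid: int, ident: Identity) -> None:
        """Record from the second connection: the identity behind session sid."""
        if sid in self.identities and self.identities[sid] != ident:
            # a live session changing identity mid-stream is an error, not an update
            raise ValueError(f"conflicting identity for session {sid}")
        self.identities[sid] = ident
        for body in self.waiting.pop(sid, []):   # release content that arrived early
            self._deliver(sid, body)

    def on_content(self, sid: int, body: bytes) -> None:
        """Record from the persistent secure connection: content for session sid."""
        if sid in self.identities:
            self._deliver(sid, body)
            return
        if sum(len(v) for v in self.waiting.values()) >= self.max_waiting:
            raise OverflowError("too many content records waiting for an identity")
        self.waiting.setdefault(sid, []).append(body)

    def on_session_close(self, sid: int) -> None:
        """Proxy reports the client session ended (assumed notification): forget
        its identity so a later reuse of the session id cannot inherit it."""
        self.identities.pop(sid, None)
        self.waiting.pop(sid, None)

    def _deliver(self, sid: int, body: bytes) -> None:
        self.replies.append((sid, self.app(self.identities[sid], body)))


def run_demo() -> List[Tuple[int, str]]:
    """Content for session 2 races ahead of its identity; it is held, then delivered."""
    m = IdentityMatcher(lambda ident, body: f"{ident['subject']} -> {body.decode()}")
    m.on_content(2, b"quote")                       # constructed sample records
    m.on_identity(1, {"subject": "CN=alice"})
    m.on_content(1, b"order")
    m.on_identity(2, {"subject": "CN=bob"})
    m.on_content(2, b"confirm")
    m.on_session_close(2)
    return m.replies
```

Because the server application trusts whatever identity the matcher attaches, the second connection needs the same integrity and authentication as the persistent secure connection; an unauthenticated side channel for identity would let any party able to write to it relabel content on the secure channel.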
As will further be appreciated by those of skill in the art, the present invention may be embodied as methods, apparatus/systems and/or computer program products.